UDP replies do not reach FW-context (FWSM)

This problem is also firewall and wireless related, but it appears to go wrong on the router/switch.

I have lightweight access-points (LAPs) on a subnet behind a redundant routed firewall context on an FWSM in a 6509. This context has a DHCP relay configured.

The outside of the firewall is connected to the router (MSFC) through an interface vlan.

On that same chassis, a PIX525 is connected. Behind that PIX is the WLC and the DHCP-server.

When the LAP powers on, it does a DHCP request. The context relays it to the DHCP server, and the response is sent to the LAP. In that response is the IP-address of the WLC, which is on the same subnet as the DHCP server.

Next step is a join request to the controller (udp to WLC on port 12223).

When I use the capture facility on the firewall, I see the packet entering the inside interface, and leaving the outside on the FWSM. I do not see any responses.

Next I do the same on the PIX outside: there I see the requests to the WLC, but also the responses FROM the WLC. I do not see those responses on the OUTSIDE of the context of the FWSM!

I use the following ACL for capturing data:

access-list lwapp permit ip any host 192.168.43.10

access-list lwapp permit ip host 192.168.43.10 any

capture wlc access-list lwapp interface outside

Where 192.168.43.10 is the IP-address of the WLC

show capture wlc detail

gives me the packets I need to see.

On the inside of the context this gives me only join requests

On the outside of the context this gives me only the join requests

On the outside of the PIX this gives me both the join request and the join response

Replies

It appears the WLC is discovered using the management IP-address (43.10 in my case), but the join response is coming from the AP-manager IP address (43.25). That second address was blocked by the firewall, and once allowed, all worked like a charm.

It appears the capture option of the FWSM is not as reliable as a sniffer on a SPAN port (thank you, Mike!)
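An added illustration of the asymmetry described in this thread (example code, not from the original posters or from Cisco): a packet list is checked against the host-keyed capture ACL, reply sources the AP never addressed are flagged, and the extra ACL lines in the thread's own syntax are produced. The packets are constructed; 192.168.50.20 is an assumed LAP address, and the WLC addresses are the ones named in the reply.

```python
from ipaddress import ip_address

LWAPP_PORT = 12223  # LWAPP control port named in the thread

# Constructed sample flow as (src_ip, src_port, dst_ip, dst_port).
# 192.168.50.20 is an assumed LAP address; 192.168.43.10 and .25 are the
# management and AP-manager addresses the reply names.
PACKETS = [
    ("192.168.50.20", 40001, "192.168.43.10", LWAPP_PORT),  # discovery request
    ("192.168.43.10", LWAPP_PORT, "192.168.50.20", 40001),  # discovery response
    ("192.168.50.20", 40001, "192.168.43.10", LWAPP_PORT),  # join request
    ("192.168.43.25", LWAPP_PORT, "192.168.50.20", 40001),  # join response (AP-manager)
]


def matches_capture_acl(pkt, wlc_ip):
    """Mirror 'permit ip any host <wlc>' plus 'permit ip host <wlc> any'."""
    src, _, dst, _ = pkt
    return src == wlc_ip or dst == wlc_ip


def missed_by_capture(packets, wlc_ip):
    """Packets a capture keyed only on the WLC management host never records."""
    return [p for p in packets if not matches_capture_acl(p, wlc_ip)]


def unexpected_reply_sources(packets, ap_ip, port=LWAPP_PORT):
    """Addresses that answered the AP on the control port but were never
    a destination of any AP request: the asymmetric half of the exchange."""
    targets = {dst for src, _, dst, dport in packets if src == ap_ip and dport == port}
    replies = {src for src, sport, dst, _ in packets if dst == ap_ip and sport == port}
    return sorted(replies - targets, key=ip_address)


def extra_capture_acl(name, sources):
    """Capture ACL lines, in the syntax used in the thread, covering those sources."""
    lines = []
    for ip in sources:
        lines.append(f"access-list {name} permit ip any host {ip}")
        lines.append(f"access-list {name} permit ip host {ip} any")
    return lines


if __name__ == "__main__":
    extra = unexpected_reply_sources(PACKETS, "192.168.50.20")
    print("missed by capture:", missed_by_capture(PACKETS, "192.168.43.10"))
    print("reply sources never addressed by the AP:", extra)
    print("\n".join(extra_capture_acl("lwapp", extra)))
```

The same flagged addresses are the ones a host-based firewall policy keyed on the management address will also drop, which is the cause the reply identifies.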